
mariadb: declarative roles and users

Open ip1981 opened this issue 8 years ago • 0 comments

If a user/role is not in the nix expressions, it should be deleted from the mysql database (done for roles only; for users this behaviour should be optional). A role/user gets only the privileges specified in the nix expressions; other privileges, if any, are revoked (done for roles granted of other roles).

Only legit MySQL statements must be used (GRANT / REVOKE), editing the mysql database is prohibited, while SELECT is ok.

User passwords, if any, must not be altered.

REVOKE ALL, GRANT OPTION ... is not allowed, because of the time gap when the user has no privileges, or, if it's a role, many users can't work. Same for deleting and recreating a role.

ip1981, May 18 '17 19:05
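The requirements in this issue amount to a diff between declared and live privileges. The following is an added example, not nixsap's code: `plan`, `account` and the dictionary shapes are hypothetical, the live state is a constructed sample standing in for what a SELECT would return, and accounts are assumed to exist already. It issues only the missing GRANTs and the surplus REVOKEs, grants before revokes, never emits REVOKE ALL, and never touches passwords.

```python
import re

_NAME = re.compile(r"^[A-Za-z0-9_.%-]+$")  # conservative allow-list for account parts

def account(name):
    """Render 'user@host' or a bare role name as a quoted MariaDB account."""
    user, _, host = name.partition("@")
    parts = [user] + ([host] if host else [])
    if not all(_NAME.match(p) for p in parts):
        raise ValueError(f"unsafe account name: {name!r}")
    return f"'{user}'@'{host}'" if host else f"'{user}'"

def plan(desired, current, roles, drop_users=False):
    """Statements moving `current` to `desired`; both map account -> {(priv, object)}."""
    stmts = []
    for name in sorted(desired):
        have = current.get(name, set())
        # Grants come first so an account never passes through a privilege-less state.
        for priv, obj in sorted(desired[name] - have):
            stmts.append(f"GRANT {priv} ON {obj} TO {account(name)}")
        for priv, obj in sorted(have - desired[name]):
            stmts.append(f"REVOKE {priv} ON {obj} FROM {account(name)}")
    for name in sorted(set(current) - set(desired)):
        if name in roles:  # undeclared roles are always removed
            stmts.append(f"DROP ROLE {account(name)}")
        elif drop_users:  # undeclared users are removed only on request
            stmts.append(f"DROP USER {account(name)}")
    return stmts

# Constructed sample state (not from a real server); privilege and object
# strings are assumed to come from a trusted, already-quoted configuration.
DESIRED = {
    "reader": {("SELECT", "`shop`.*")},
    "app@localhost": {("SELECT", "`shop`.*"), ("INSERT", "`shop`.`orders`")},
}
CURRENT = {
    "reader": {("SELECT", "`shop`.*"), ("UPDATE", "`shop`.*")},
    "app@localhost": {("SELECT", "`shop`.*")},
    "old_role": {("SELECT", "`shop`.*")},
    "bob@%": {("SELECT", "`shop`.*")},
}
ROLES = {"reader", "old_role"}

if __name__ == "__main__":
    for s in plan(DESIRED, CURRENT, ROLES):
        print(s + ";")
```

Running `plan` a second time against the resulting state returns an empty list, which makes the output usable as a drift check as well as a change script.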